VPN from iPhone / iPad devices

We have an IPsec VPN tunnel setup that works well from Windows and Android devices. It is using the VPN template Dialup – FortiClient (Windows, Mac OS, Android).

Is it possible to connect to this from Apple iPhone / iPad devices? We have tried the Fortinet apps, yet they only have the option for SSL-VPN (not IPsec).

We’re using a FortiGate 1500D on v5.6.11 build1700.

Definitely, I have a small FortiGate 50E at home and I’m using IPsec VPN using the built-in iOS VPN client.

Should be able to use the built-in VPN clients, so long as you can match proposals, etc.

IPsec for client VPN tends to be a painful endeavour.

Thanks, but I’m reluctant to change the VPN proposals on the FortiGate, as I don’t want to break the VPN that is working from Windows and Android clients. It’s annoying that you can’t just change the VPN template type for a VPN on the FortiGate; you have to create a new VPN with new rules or convert to custom template.

It all hinges on what configs the listed OSes/client applications use, and whether they are configurable.
You can try simply connecting a test Apple device to the existing dialup tunnel for Windows/Android. If it works, job done. If not, you will need to check at least the ike -1 outputs to try and figure out what needs to be changed/added to get it working. (Worst case, you will need separate phase1 configs (~tunnels) for Apple and Win/Android devices.)

Just curious why IPsec instead of using FortiClient SSL with PKI?

You could simply add another proposal if you like; it is not required to modify the existing ones.

Good question. SSLVPN is nice as it commonly connects to port 443 which is allowed in practically any network worldwide.

Although I do not have any academic answer, I feel like IPsec is safer as it is a more established, documented standard in contrast to vendor-specific SSLVPN implementations. That’s why I chose IPsec over SSLVPN.

EDIT: Funny enough, I’ve run into SSTP for the first time in my life today. It looks a lot like many “vendor-specific” SSLVPN implementations, so I wouldn’t be surprised if e.g. FortiClient SSLVPN turns out to be SSTP-based.

Can I have two different proposals on the same IP? Thanks.

Sure thing, just add another proposal to your existing tunnel. No need to configure a second tunnel either.